Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp437573pxm; Wed, 2 Mar 2022 01:20:19 -0800 (PST) X-Google-Smtp-Source: ABdhPJwUr0lEIghbEtgLHuAfti4nDE2MjqtzI46TZp/CUF5t4UDPluKrCAce/fCvaN35DqbdQq56 X-Received: by 2002:a17:906:b57:b0:6ce:e31a:524 with SMTP id v23-20020a1709060b5700b006cee31a0524mr21850146ejg.290.1646212819135; Wed, 02 Mar 2022 01:20:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1646212819; cv=none; d=google.com; s=arc-20160816; b=gwdN4EP3Fyh9zQ0kwfiBQUDfzVL0vkdPXY4jwVF6jfoIci3vJb+FOe7wArPG7f3BOv iz9s2Avxi/1FTK4zFgSi5faLsjeV8yI4r7IJ5f8gMzoMNPW47oqCeiLh3kAEJQRSrnDj DjKfqPI/faKjyVl64FwTdVLwdjnMNficTCvulbn8WlI7dD20GJZEBVS0kts3Y+40qUpN vJLGuH9XphZyqhdOUXtczb9pMqOLFcloq/Doc1E+jUYliRGbK1QpqNFrQWdlNIlo+ual Wy/GTLTbKYNkaj9tighhNNgCD1FKW7DurGMwv4i22uDPZODl6LoNKiQf3uCToNsB5FzW 88FQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:message-id:references :in-reply-to:subject:cc:to:from:date:mime-version; bh=tSXcdkWAp3i9zngyB+ueW6DoBAJHin6NqEQ/IVYGPJs=; b=szA5nqcu4qN6sJeb8+mW8dTZBpAlJ71qwvb2wQU5oJnWcWs1KZrosd3KmzU5pqTu3K l47qQuVL7Gm3u0JbQKZBqv9thIq+kmzDI9/1cxmMiRX+HmH/1Rmh2/8Cs2qSdvWhfWlU Q5hJXUieviakdKIjwfIENv452Udj3GnZaIU6N2ItfxME0ct6dN0Fq0l7trjNOtP7c2O/ 2XxQ8N2fMASnfk7r8XeBQztEWxeHFxKlJ+j5KQGopWFDp9HDnfXoDHN4z8bLTmI1j7pl wRdxndgy3FQyXsI17xYZtv4LVKnc7Pq5nESS7QMIbawkeYPGuW2m7na/agiRZOtHBsgh po1g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id w21-20020a056402269500b00413b3fbb320si6985293edd.551.2022.03.02.01.19.56; Wed, 02 Mar 2022 01:20:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239354AbiCBDdg (ORCPT + 99 others); Tue, 1 Mar 2022 22:33:36 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35450 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229911AbiCBDdf (ORCPT ); Tue, 1 Mar 2022 22:33:35 -0500 Received: from relay6-d.mail.gandi.net (relay6-d.mail.gandi.net [IPv6:2001:4b98:dc4:8::226]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D783C140AF for ; Tue, 1 Mar 2022 19:32:52 -0800 (PST) Received: (Authenticated sender: joao@overdrivepizza.com) by mail.gandi.net (Postfix) with ESMTPA id 834F1C0004; Wed, 2 Mar 2022 03:32:47 +0000 (UTC) MIME-Version: 1.0 Date: Tue, 01 Mar 2022 19:32:47 -0800 From: Joao Moreira To: Peter Collingbourne Cc: Peter Zijlstra , Kees Cook , x86@kernel.org, hjl.tools@gmail.com, jpoimboe@redhat.com, andrew.cooper3@citrix.com, linux-kernel@vger.kernel.org, ndesaulniers@google.com, samitolvanen@google.com, llvm@lists.linux.dev Subject: Re: [RFC][PATCH 6/6] objtool: Add IBT validation / fixups In-Reply-To: References: <20211122170301.764232470@infradead.org> <20211122170805.338489412@infradead.org> <6ebb0ab131c522f20c094294d49091fc@overdrivepizza.com> <202202081541.900F9E1B@keescook> <202202082003.FA77867@keescook> <9ea50c51ee8db366430c9dc697a83923@overdrivepizza.com> <20220211133803.GV23216@worktop.programming.kicks-ass.net> Message-ID: X-Sender: joao@overdrivepizza.com Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-03-01 19:06, Peter Collingbourne wrote: > Hi Peter, > > One issue with this call sequence is that: > > On Fri, Feb 11, 2022 at 02:38:03PM +0100, Peter Zijlstra wrote: >> caller: >> cmpl $0xdeadbeef, -0x4(%rax) # 7 bytes > > Because this instruction ends in the constant 0xdeadbeef, it may > be used as a "gadget" that would effectively allow branching to an > arbitrary address in %rax if the attacker can arrange to set ZF=1. > >> je 1f # 2 bytes >> ud2 # 2 bytes >> 1: call __x86_indirect_thunk_rax # 5 bytes >> >> >> .align 16 >> .byte 0xef, 0xbe, 0xad, 0xde # 4 bytes >> func: >> endbr # 4 bytes >> ... >> ret > > I think we can avoid this problem with a slight tweak to your > instruction sequence, at the cost of 2 bytes per function prologue. > First, change the call sequence like so: > > cmpl $0xdeadbeef, -0x6(%rax) # 6 bytes > je 1f # 2 bytes > ud2 # 2 bytes > 1: call __x86_indirect_thunk_rax # 5 bytes > > The key difference is that we've changed 0x4 to 0x6. > > Then change the function prologue to this: > > .align 16 > .byte 0xef, 0xbe, 0xad, 0xde # 4 bytes > .zero 2 # 2 bytes > func: > > The end result of the above is that the constant embedded in the cmpl > instruction may only be used to reach the following ud2 instruction, > which will "harmlessly" terminate execution in the same way as if > the prologue signature did not match. FWIIW, this makes sense IMHO. These additional pre-prologue bytes are also what might be needed to enable the smaller version of FineIBT that I suggested in this thread some time ago.